Using nginx as a reverse proxy

My version of CodiMD is: master (4c0efe1237bc33b52d06eaf86a28adad9a041ec2)

I’m running it behind nginx as a reverse proxy providing https.

My HedgeDoc config
{
    "test": {
        "db": {
            "dialect": "sqlite",
            "storage": ":memory:"
        },
        "linkifyHeaderStyle": "gfm"
    },
    "development": {
        "loglevel": "debug",
        "hsts": {
            "enable": false
        },
        "db": {
            "dialect": "sqlite",
            "storage": "./db.codimd.sqlite"
        },
        "linkifyHeaderStyle": "gfm"
    },
    "production": {
        "domain": "redacted",
        "host": "localhost",
        "port": 9000,
        "loglevel": "info",
        "hsts": {
            "enable": true,
            "maxAgeSeconds": 31536000,
            "includeSubdomains": true,
            "preload": true
        },
        "csp": {
            "enable": true,
            "directives": {
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true,
            "addDisqus": false,
            "addGoogleAnalytics": false
        },
        "protocolUseSSL": true,
        "cookiePolicy": "lax",
        "db": {
            "username": "redacted",
            "password": "redacted",
            "database": "redacted",
            "host": "redacted",
            "port": "5432",
            "dialect": "postgres"
        },
        "imageUploadType": "filesystem",
        "email": true,
        "allowEmailRegister": false,
        "allowAnonymousEdits": true
    }
}
My nginx config
# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" when the client sent an Upgrade header, "close" when it is empty.
# Used by the /socket.io/ location below.
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}
# HTTPS virtual host: terminates TLS and forwards every request to the
# backend on 127.0.0.1:9000 over plain http.
server {
        server_name redacted;

        # NOTE(review): no proxy_set_header for Host or X-Forwarded-Proto in
        # this location, so the backend receives nginx's default Host
        # ($proxy_host) and has no indication that the client used https.
        location / {
                proxy_pass http://127.0.0.1:9000;
        }

        # Realtime endpoint: passes the client's Upgrade header through and
        # sets Connection from the map above.
        # Because this location sets proxy_set_header itself, it does not
        # inherit proxy_set_header directives from the server level.
        # NOTE(review): nginx's WebSocket proxying example also sets
        # proxy_http_version 1.1; it is not set here. Confirm upgrades succeed.
        location /socket.io/ {
                proxy_pass http://127.0.0.1:9000;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

    # TLS listener, certificate and key. The included options file is not
    # shown on this page, so the protocol and cipher settings are unknown here.
    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate fullchain.pem; # managed by Certbot
    ssl_certificate_key privkey.pem; # managed by Certbot
    include options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam ssl-dhparams.pem; # managed by Certbot
}
# Plain-http virtual host: never proxies to the backend.
server {
    # Requests for the configured host are redirected to the same URI on https.
    if ($host = redacted) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
        listen [::]:80;
        listen 80;
        server_name redacted;
    # Any request whose Host did not match the check above gets a 404.
    return 404; # managed by Certbot
}

What I expected to happen:

I get logged in when I enter my credentials.

What actually happened:

I got a 302 from /login redirecting me to the homepage, without any error message.

I already tried:

When I disable https and don’t use the proxy, it works: I get logged in as expected.


@hugopeixoto found the solution on the chat, helped by @sheogorath, @davidmehren and @DerMolly.

When configured for https, HedgeDoc expects the user to request /login over https. nginx terminates TLS and forwards plain http to 127.0.0.1:9000, and the proxy was not communicating the original scheme to HedgeDoc. Adding the following lines to the nginx config fixed that.

# NOTE(review): nginx inherits proxy_set_header from the enclosing level only
# when the current level defines none of its own. The /socket.io/ location
# already sets Upgrade and Connection, so these lines must be repeated inside
# it (and inside "location /") rather than set once at server level.

# Pass the hostname the client requested instead of the proxy_pass target.
proxy_set_header Host $host; 
# Address of the client directly connected to nginx.
proxy_set_header X-Real-IP $remote_addr; 
# $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the
# client sent, so only the last entry is written by this proxy. Earlier
# entries are client-controlled and should not be trusted by the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
# Taken from nginx's own $scheme, replacing any X-Forwarded-Proto the client
# supplied. The backend should accept these headers only from the proxy; the
# HedgeDoc config above binds it to localhost ("host": "localhost").
proxy_set_header X-Forwarded-Proto $scheme;